CVE-2026-4030
wpengine · Database Backup for WordPress
The Database Backup for WordPress plugin is vulnerable to unauthorized arbitrary file read and deletion due to a missing authorization check.
Executive summary
A critical vulnerability in the Database Backup for WordPress plugin allows unauthenticated attackers to read or delete arbitrary files on the server.
Vulnerability
This is a missing authorization vulnerability (CWE-862) within the plugin, allowing unauthenticated remote attackers to perform unauthorized file operations, including reading sensitive configuration files or deleting critical system data.
Business impact
Successful exploitation allows an attacker to compromise the integrity and confidentiality of the WordPress installation. With the ability to read arbitrary files, attackers may exfiltrate database credentials or sensitive configuration files, while file deletion capabilities can lead to a complete denial-of-service or system instability. The CVSS score of 8.1 reflects the high severity of potential impact on system availability and data integrity.
Remediation
Immediate Action: Update the "Database Backup for WordPress" plugin to version 2.5.3 or later immediately.
Proactive Monitoring: Review web server access logs for anomalous requests targeting plugin-specific PHP files or directories, particularly those involving unexpected file system paths.
Compensating Controls: If immediate patching is not possible, disable the plugin entirely until an update can be applied to prevent unauthorized access.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
The vulnerability represents a significant risk to site integrity. Administrators should prioritize the update to version 2.5.3 immediately to close the authorization gap and prevent potential file system manipulation by unauthorized parties.